Tags: azure, terraform, azure-virtual-network, azurecaf

How to stop Azure CAF advertising 0.0.0.0 over ExpressRoute


When using the Azure CAF, at some point when you're all set up and ready to go, you have to connect it to your organisation.

I imagine that simply plugging an Azure CAF platform that has a 0.0.0.0 route advertisement into a corporate network that already has a 0.0.0.0 would result in some undesired behaviour?

What would be the preferred/most correct way to stop 0.0.0.0 being advertised over ExpressRoute into your on-prem?

Should we attempt to stop the advertisement on the Azure side, or filter the BGP on the on-prem networking side?

The doc doesn't really seem to have much to say on the subject.

Has anyone had to deal with this?


Solution

  • Stopping Azure CAF advertising 0.0.0.0 over ExpressRoute

    There is no better direct way to fix this from our end. Azure doesn't have native outbound route filtering, so managing this from the on-premises BGP configuration is the approach, we can say.

    So, the final conclusion of the requirement mentioned is that there is no better way to do this other than to fix it with the correct BGP on-premises and move on.

    To do this from the on-premises side:

    demo configuration:

    ! Match only the default route (no ge/le, so this is an exact match on 0.0.0.0/0)
    ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
    
    ! Deny the default route, then permit everything else. Every route-map ends with an
    ! implicit deny, so the permit clause must belong to the SAME route-map; a separate
    ! route-map name would leave BLOCK_DEFAULT_ROUTE dropping every prefix from Azure.
    route-map BLOCK_DEFAULT_ROUTE deny 10
      match ip address prefix-list DEFAULT_ROUTE
    route-map BLOCK_DEFAULT_ROUTE permit 20
    
    ! Apply inbound on each BGP session with Azure (ExpressRoute private peering has a
    ! primary and a secondary session), then refresh: clear ip bgp <AZURE_PEER_IP> soft in
    router bgp <YOUR_AS_NUMBER>
      neighbor <AZURE_PEER_IP> route-map BLOCK_DEFAULT_ROUTE in
    

    Refer:

    On-premises expressroute BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet) - Microsoft Q&A, answered by Ganesh Patapati.

    https://learn.microsoft.com/en-us/azure/expressroute/expressroute-routing
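To check the inbound policy before putting it on a router, here is an added Python simulation (not from the answer above or from Microsoft's docs) of IOS-style prefix-list and route-map evaluation. The Azure prefixes are constructed placeholders; it shows that a route-map with only a deny clause hits the implicit deny and drops every route from Azure, while deny-then-permit in the same route-map drops just 0.0.0.0/0.

```python
import ipaddress

# Constructed sample: prefixes an Azure peer might advertise over ExpressRoute
# private peering into the on-prem router (placeholder ranges, not from the page).
AZURE_ADVERTISED = ["0.0.0.0/0", "10.100.0.0/16", "10.101.0.0/16", "10.102.0.0/24"]

# Prefix-list entries: (action, prefix, ge, le). Without ge/le an entry matches
# only that exact prefix, so "permit 0.0.0.0/0" matches just the default route,
# whereas "permit 0.0.0.0/0 le 32" would match everything.
PREFIX_LISTS = {
    "DEFAULT_ROUTE": [("permit", "0.0.0.0/0", None, None)],
    "ANY": [("permit", "0.0.0.0/0", None, 32)],
}


def prefix_list_matches(name, prefix):
    """Evaluate a prefix-list against one prefix; no entry hit means deny."""
    net = ipaddress.ip_network(prefix)
    for action, entry, ge, le in PREFIX_LISTS[name]:
        entry_net = ipaddress.ip_network(entry)
        lo = ge if ge is not None else entry_net.prefixlen
        hi = le if le is not None else (32 if ge is not None else entry_net.prefixlen)
        if net.subnet_of(entry_net) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def route_map_permits(route_map, prefix):
    """Clauses in sequence order; first match wins; no match is an implicit deny."""
    for action, match_list in route_map:
        if match_list is None or prefix_list_matches(match_list, prefix):
            return action == "permit"
    return False


def apply_inbound_policy(route_map, advertised):
    """Return the prefixes the router would accept from the Azure BGP peer."""
    return [p for p in advertised if route_map_permits(route_map, p)]


# Deny clause only: nothing reaches a permit, so the implicit deny drops all routes.
DENY_ONLY = [("deny", "DEFAULT_ROUTE")]
# Deny the default route, then an explicit permit clause in the same route-map.
BLOCK_DEFAULT_ROUTE = [("deny", "DEFAULT_ROUTE"), ("permit", None)]

if __name__ == "__main__":
    print("deny only   ->", apply_inbound_policy(DENY_ONLY, AZURE_ADVERTISED))
    print("deny+permit ->", apply_inbound_policy(BLOCK_DEFAULT_ROUTE, AZURE_ADVERTISED))
```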